AEPD (Spain) - EXP202210212
| AEPD - EXP202210212 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 28.05.2024 |
| Published: | |
| Fine: | 300 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202210212 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lorea.mendi |
The DPA fined a controller €300 for using a video surveillance camera for home security which captured a neighbor’s patio.
English Summary
Facts
A resident (the controller) installed a video surveillance camera that recorded a portion of their property. The camera had a 360-degree view and faced the controller’s porch. Part of the camera’s range included the neighbors’ patio and garden.
The data subject filed a complaint with the Spanish DPA (AEPD). The controller did not respond to the DPA’s notices about the case. On 1 June 2023, the DPA initiated sanctioning proceedings against the controller.
Holding
The DPA found that the controller had infringed Article 5(1)(c) GDPR and issued a €300 fine.
The principle of data minimisation, the DPA wrote, generally prohibits the capture of images of public life. Under limited circumstances, video cameras that capture some private space may be necessary to ensure security. In such cases, cameras should capture the minimum portion necessary for the preservation of security.
In this case, the controller had other means available to them (i.e. installing the camera in another location) which would not record the neighbor’s patio and yard so extensively. It thus did not meet the necessity standard and was found to infringe the principle of data minimisation.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202210212
SANCTIONING PROCEDURE RESOLUTION
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the complaining party) on 09/16/2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against B.B.B., with NIF ***NIF.1 (hereinafter, the respondent party).
The claim is based on the existence of indications that the video surveillance camera that the respondent party has installed in the property on ***ADDRESS.1 street violates the personal data protection regulations.
The complainant has stated that “in the adjoining house” “a video surveillance camera has been installed that may be focusing on her house due to the position in which it is placed.” That she and her family, which includes two minor children, feel intimidated and do not go about their daily lives due to the pressure caused by feeling watched. She adds that “she does not know if the camera is recording or receiving images instantly or if it is a camera without any type of image reception” but that at no time has she given authorization to the respondent party to install cameras that focus on her and her family, whether or not they are recording.
She provides the following documents:
- Copy of the complaint filed on 09/07/2022 with the Civil Guard. In it, he declares that on that day he noticed that the neighbour of the house next to his own “has installed a video surveillance camera right on the roof of the entrance of said house and that he presumes that it could perhaps be recording images of his house”. That, previously, the camera was installed on the access door and that he has moved it to the indicated place. That the camera is not wired, so it could be wireless.
- Photo report: Three photographs that allow to see where the video camera is located in the house of the respondent party and its position in relation to that of the complainant party.
The camera, of “Dome” format or similar - whose vision and recording index is 360 degrees - is attached to the roof of the porch of the respondent party's house right where his house ends and that of the complainant begins, next to the dividing wall that separates them. The dividing wall is half-height, slightly higher than the garden fence, so that the installed camera can record the garden or patio of the complainant's home. In the case of the respondent's home, there is a porch next to the garden, at the right end of which the dividing wall is located.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
On 06/03/2023, a new letter was received from the complainant in which it reports that the camera is still installed; that it does not know whether it is recording or not and that the facts that were brought to the attention of the Agency on 16/09/2022 persist. He provides four photographs: It is observed that the location of the camera remains the same and that the complainant has installed a panel on the vertical of the dividing wall that separates the houses in order to increase its height, which would reduce the view of the video camera on his house. Despite this, due to its position and the technical characteristics that it appears to have, the camera could capture images of the outside patio of the complainant's house.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party so that it could proceed to analyze it and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the regulations of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the recipient:
The transfer was carried out by post on 10/04/2022. It was “Returned to Origin for Surplus (Not picked up at office)” on 10/14/2022. The two delivery attempts (dated 10/6 and 7/2022) had the same result: “03 Absent”. A notice was left in the mailbox. This is stated in the Certificate of Impossibility of Delivery issued by Correos y Telégrafos, S.A.E. (hereinafter, Correos).
The shipment was repeated on 10/20/2022. The certificate issued by Correos states “It has been returned to Origin for 02 Incorrect address on 10/26/2022”. According to this certificate, only one first delivery attempt was made, on 10/24/2022, with the result “03. Absent”.
It was reiterated a second time by postal mail dated 11/02/2022 that it was “Returned to Origin due to Surplus (Not picked up at office)” on 11/14/2020. Two delivery attempts were made - on 11/4 and 11/7/2022 - with the result “03 Absent”. A notice was left in the mailbox.
No response has been received to this transfer letter.
THIRD: On 11/29/2022, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant is admitted for processing, which is notified, and recorded as received by the claimant, on 12/14/2022.
FOURTH: On 01/06/2023, the Director of the Spanish Data Protection Agency agrees to initiate sanctioning proceedings against the respondent party for the alleged infringement of article 5.1.c) of the GDPR, as defined in article 83.5.a).
The agreement to open the procedure is notified to the respondent party by post with an absent result.
In this regard, the file contains the document Certification of Impossibility of Delivery issued by Correos on 07/07/2023, which certifies that the shipment addressed to the respondent at the address “***ADDRESS.1” has been returned to origin due to surplus on 05/05/2023. It offers this information: The first delivery attempt is made on 06/26/2023, at 12:28, with a result of “03 Absent”. The second attempt is on 06/28/2023, at 15:58, with a result of “03 Absent”. “Notice was left in the mailbox”.
In accordance with the provisions of article 44.1 of the LPACAP, the notification was made through an announcement published in the Official State Gazette (BOE), Notification Supplement, dated 07/12/2023.
FIFTH: Having notified the start agreement in accordance with the rules established in the LPACAP and having passed the period granted for the formulation of allegations, it has been verified that no allegation has been received from the respondent party.
Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed in the agreement to open the procedure - establishes that, if no allegations are made in the period provided for regarding the content of the agreement to open the procedure, when it contains a precise statement regarding the imputed liability, it may be considered a resolution proposal.
The agreement to open the procedure determined the facts in which the infringement of the GDPR attributed to the respondent party was specified and the sanction that could be imposed. Therefore, taking into account that the respondent party has not made allegations to the agreement to open the procedure, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement to open the procedure is considered in the present case a resolution proposal.
In view of all the actions taken, the Spanish Data Protection Agency in the present procedure considers the following facts to be proven:
PROVEN FACTS
FIRST: The complainant filed a complaint on 09/16/2022 in which she states that in the house next to hers (house on the street of ***ADDRESS.1) a video surveillance camera has been installed that may be focusing on her house due to the position in which it is placed and that she and her family, among which there are two minor children, feel intimidated and do not go about their daily lives due to the pressure caused by feeling watched.
SECOND: The facts stated by the complainant were reported by her to the Civil Guard on 09/07/2022. She provides a copy of the complaint.
THIRD: There are seven photographs in the file provided with the claim that clearly show these points:
- Both houses are adjacent and the dividing wall is half-height.
- In the property of the claimant, the dividing wall is followed by the garden or patio. In the property of the claimant there is a porch next to this wall.
- A video camera is installed on the roof of the porch, at the end that coincides with the vertical line of the dividing wall, and in the part of it furthest from the house.
- The camera, spherical in shape, has the characteristics of the “Domo” model, with 360º viewing and recording capacity.
- The location of the camera and the characteristics of the construction perfectly allow the recording of the garden/patio of the complainant's home.
FOURTH: The file provided by the respondent on 06/03/2023 contains four photographs that show these points:
- That the location of the camera remains the same as that reflected in the photographs provided with the claim.
- That a panel appears installed on the vertical line of the dividing wall that separates the homes, on the side of the claimant's home, which attempts to reduce the camera's range of vision of her home.
Despite this, due to the position and characteristics of the camera, it could continue to capture images of the garden/outside patio of the claimant's home.
FIFTH: The respondent has not made any objections to the start agreement.
BASIS OF LAW
I Competence
In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II The image is personal data
Article 4.1 of the GDPR defines personal data as “any information about an identified or identifiable natural person («the data subject») […]”.
Therefore, the image of a natural person is personal data, for example, images generated by a camera or video camera system, and its processing is subject to data protection regulations.
It is worth mentioning the SAN of 21/03/2023, Rec. 330/2021, which states that the image of a person is personal data and indicates that it has “[…] declared on multiple occasions (SSAN of 19/12/2018, Rec. 286/2017 and of 27/12/2019, Rec. 786/2018) that the image of a person constitutes personal data within the meaning of […] current Article 4.1 of the General Data Protection Regulation (GDPR) to the extent that it allows the identification of the affected person, as indicated by the judgment of the Court of Justice of the European Union of 11 December 2014 (case C-212/13)”.
III Principles of data protection and data processing for video surveillance purposes
Article 6.1 of the GDPR establishes the assumptions that allow the processing of personal data to be considered lawful.
Regarding processing for video surveillance purposes, article 22 of the LOPDGDD provides that natural or legal persons, public or private, may carry out image processing through camera or video camera systems for the purpose of preserving the security of persons and property, as well as their facilities.
The processing of personal data is subject to the rest of the principles of processing contained in article 5 of the GDPR. We will highlight the principle of data minimisation contained in article 5.1.c) of the GDPR, which provides that personal data will be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
This means that, in a specific processing, only the appropriate personal data may be processed; that are relevant and that are strictly necessary to fulfil the purpose for which they are processed. The processing must be adjusted and proportionate to the purpose for which it is directed. The relevance of the data processing must be present both at the time of data collection and in the subsequent processing of these.
In accordance with the above, the processing of excessive data must be restricted or deleted.
The application of the principle of data minimization in the field of video surveillance means that images of public roads cannot be captured, since the processing of images in public places can only be carried out by the Security Forces and Corps with prior government authorization.
On some occasions, for the protection of private spaces where cameras have been installed on facades or inside, it may be necessary, to guarantee the security purpose, to record a portion of the public road.
That is to say, cameras and video cameras installed for security purposes may not obtain images of public roads unless it is essential for this purpose or it is impossible to avoid this due to their location. And, in such extraordinary cases, the cameras may only capture the minimum portion necessary to preserve the safety of people and property, as well as the facilities.
In no case will the use of surveillance practices beyond the environment object of the installation be permitted and, in particular, they may not affect the surrounding public spaces, adjacent buildings and vehicles other than those that access the monitored space.
The cameras installed cannot take images of private third-party spaces and/or public spaces without a duly accredited justified cause, nor can they affect the privacy of pedestrians who circulate in the area.
Therefore, the placement of cameras towards the private property of neighbors with the purpose of intimidating them or affecting their private sphere without a justified cause is not permitted.
Nor can images be captured or recorded in spaces owned by third parties without the consent of their owners, or, where appropriate, of the people who are in them.
Likewise, it is disproportionate to capture images in private spaces, such as changing rooms, lockers or workers' rest areas.
IV Obligations regarding video surveillance
In accordance with the above, the processing of images through a video surveillance system, in order to comply with current regulations, must comply with the following requirements:
1.- Natural or legal persons, public or private, may establish a video surveillance system for the purpose of preserving the security of persons and property, as well as their facilities. It must be assessed whether the intended purpose can be achieved in another way that is less intrusive to the rights and freedoms of citizens.
Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means (Recital 39 of the GDPR).
2.- The images obtained cannot be used for a subsequent purpose incompatible with that which motivated the installation of the video surveillance system.
3.- The duty to inform those affected, as provided for in articles 12 and 13 of the GDPR and 22 of the LOPDGDD, must be complied with.
In this regard, article 22 of the LOPDGDD provides for a “layered information” system in relation to video surveillance.
The first layer must refer, at least, to the existence of the treatment (video surveillance); to the identity of the person responsible; to the possibility of exercising the rights provided for in articles 15 to 22 of the GDPR and to the indication of where to obtain more information on the processing of personal data. This information will be contained in a device placed in a sufficiently visible place and must be provided in advance.
The information in the second layer must be available in a place that is easily accessible to the affected party, whether it is an information sheet in a reception area, ATM, etc., placed in a visible public space or on a web address and must refer to the other elements of article 13 of the GDPR.
4.- The processing of images through the installation of camera or video camera systems must be lawful and comply with the principles of proportionality and data minimisation in the terms already indicated.
5.- The images may be kept for a maximum period of one month, unless they must be kept to prove the commission of acts that threaten the integrity of persons, property or facilities. In such a case, they must be made available to the competent authority within a maximum period of 72 hours from the moment the existence of the recording becomes known.
6.- The controller must keep a record of the processing activities carried out under his/her responsibility, which includes the information referred to in article 30.1 of the GDPR.
7.- The controller must carry out a risk analysis or, where appropriate, an impact assessment on data protection, to detect the risks derived from the implementation of the video surveillance system, assess them and, where appropriate, adopt the appropriate security measures.
8.- When a security breach occurs that affects the processing of cameras for security purposes, provided that there is a risk to the rights and freedoms of natural persons, the AEPD must be notified within a maximum period of 72 hours. A security breach is understood to be the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to said data.
9.- When the system is connected to an alarm center, it may only be installed by a private security company that meets the requirements contemplated in article 5 of Law 5/2014 on Private Security, of April 4.
The Spanish Data Protection Agency offers access through its website [https://www.aepd.es] to:
• the legislation on personal data protection, including the GDPR and the LOPDGDD (section “Reports and resolutions” / “regulations”),
• the Guide on the use of video cameras for security and other purposes,
• the Guide for compliance with the duty to inform (both available in the section “Guides and tools”).
Also of interest, in the case of carrying out low-risk data processing, is the free tool Facilita (in the “Guides and tools” section), which, through specific questions, allows the data controller’s situation to be assessed with respect to the processing of personal data that it carries out and, where appropriate, generate various documents, information and contractual clauses, as well as an annex with indicative security measures considered minimum.
V Violation of article 5.1.c) of the GDPR
The respondent party is accused of violating the principle of data minimization established in article 5.1.c) of the GDPR, which states: “Personal data shall be: […] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).”
The respondent party is considered the data controller, which is defined in Article 4.7 of the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.”
The principle of data minimization is binding on the data controller. Furthermore, the data controller is obliged, by virtue of the principle of proactive responsibility contained in Article 5.2 of the GDPR, to comply with the principles described in Article 5.1 - which is why the principle of data minimization is now relevant - and to be in a position to demonstrate compliance.
Recital 39 of the GDPR states regarding data minimization that “Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.”
In the present case, it has been proven through the documentation in the file that:
- In the defendant's home, next to the intersection of the latter and the claimant's home, almost vertically above the dividing wall that separates them, a video surveillance camera is installed.
The camera is located on the roof of a porch of the defendant's home, at its right end, vertically above the dividing wall, of medium height, that separates both homes.
- The external characteristics of the installed camera coincide with those of the "Domo" model, with a 360-degree vision and recording index.
It is therefore evident that the installed camera can capture images of the interior of the claimant's home: the patio or garden.
Also, the respondent party can place the camera in other parts of his home and guarantee the safety of his person, property and facilities, without it being necessary in any case for such purpose to keep it in the place where it is located.
Therefore, it is proven that the respondent party has not respected the due proportionality between the data processing that it carries out through its video camera and the purposes for which such processing is authorized by the GDPR: the security of people, property and facilities. This purpose is incompatible with the camera capturing images of the interior of a private home (article 22.2 LOPDGDD), such as, in the present case, the patio or garden of the complainant party's home.
In view of the above, it is concluded that the processing carried out by the respondent party through the video surveillance system installed in his home, at the location of which there is documentary evidence, violates the principle of minimisation of personal data established in article 5.1.c) of the GDPR.
VI Classification of the infringement of article 5.1.c) of the GDPR
The infringement of article 5.1.c) of the GDPR, for which the respondent party is held responsible, is classified in article 83.5 of the GDPR, which states: “Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, an amount equivalent to up to 4% of the total annual global turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.”
The LOPDGDD, for the sole purpose of determining the limitation period for the infringement, classifies the violation of Article 5.1.c) of the GDPR as very serious and sets a limitation period of three years for it. Article 72.1 of the LOPDGDD states: “In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.”
VII Administrative fine
Data controllers are subject to the sanctioning regime established in the GDPR and the LOPDGDD (article 70 LOPDGDD).
Among the corrective measures that the Agency, as a supervisory authority, can adopt and that are detailed in article 58.2 of the GDPR, it includes (section i) the possibility of imposing an administrative fine in accordance with article 83 of the GDPR.
In turn, article 83.1 of the GDPR requires supervisory authorities to ensure that the administrative fines they impose for breaches of the GDPR are, in each individual case, effective, proportionate and dissuasive. In addition, to determine its amount, the GDPR provides some criteria or grading factors in article 83.2 of the GDPR.
Article 83.5 of the GDPR provides for a fine of up to 20 million euros for the infringement of article 5.1.c) of the GDPR, for which the respondent is held responsible.
In the particular case at hand, in consideration of the provisions of articles 83.1 and 83.2 of the GDPR, it is agreed to impose an administrative fine of 300€ (three hundred euros) on the respondent party for the infringement of article 5.1.c) of the GDPR.
VIII Corrective measures imposed on the respondent party
Article 58.2 of the GDPR grants supervisory authorities the possibility of adopting various corrective measures, including, section d), “ordering the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period”.
In this resolution, in light of the circumstances and in application of Article 58.2.d) of the GDPR, the respondent party is ordered to:
- Remove the camera or video camera system from the location where it is currently installed, as evidenced by the documentation in the file.
- Or, to proceed to adopt appropriate technical measures (such as a privacy mask) to prevent viewing images of the complainant's home.
The respondent party must adopt the corrective measure ordered here and prove compliance to this Agency within 10 business days from the date this resolution became enforceable.
The respondent party is advised that failure to comply with the requirements of this agency may be considered an administrative violation in accordance with the provisions of the GDPR, as defined in its articles 83.5 and 83.6, with this non-compliance giving rise to the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with applicable legislation and having assessed the criteria for graduating sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on B.B.B., with NIF ***NIF.1, for an infringement of article 5.1.c) of the GDPR, classified in article 83.5.a) of the GDPR, a fine of €300 (three hundred euros).
SECOND: ORDER B.B.B., with NIF ***NIF.1, pursuant to article 58.2.d) of the GDPR, to, within ten business days from the date this resolution becomes enforceable, prove to this Agency the removal of the video camera from its current location or the adoption of technical measures, such as the privacy mask, to demonstrate that its video camera system cannot capture images of the complainant's home adjacent to his/her own.
THIRD: NOTIFY this resolution to B.B.B., with NIF ***NIF.1
FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is hereby notified that he/she must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of the LPACAP, within the voluntary payment period established in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by means of its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, the collection will be carried out during the enforcement period.
Once the notification has been received and the resolution is enforceable, if the date of enforcement is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within a period of two months from the day following notification of this act, as provided for in article 46.1 of the referred Law.
Finally, it is noted that, in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses his intention to file an administrative appeal.
If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the precautionary suspension.
938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency